Method and system for determining whether domain names are legitimate or malicious
Abstract
A system and method for determining whether at least one domain is legitimate or malicious by obtaining passive DNS query information, using the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, and using the statistical features to determine at least one reputation for at least one new domain, where the reputation indicates whether the at least one new domain is likely to be for malicious or legitimate uses.
Claims (18)

1. A method of detecting malicious network behavior by teaching at least one reputation engine to determine whether at least one new domain name is likely to be used for malicious or legitimate uses, the method comprising:
- obtaining passive domain name system (DNS) query information, utilizing the at least one reputation engine in communication with at least one database, wherein the passive DNS query information is obtained using passive DNS collectors from DNS information;
- utilizing, using the at least one reputation engine, the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, wherein the statistical features comprise network-based features and/or zone-based features, the network-based features describing how operators who own the at least one domain name and IP addresses the at least one domain name points to are able to allocate their network resources, and the zone-based features measuring a set of related historic domain names (RHDNs) of domain names historically associated with the at least one new domain name; and
- utilizing the statistical features to determine at least one reputation for the at least one new domain name, by teaching the at least one reputation engine to determine whether the at least one new domain name is likely to be used for malicious or legitimate uses, and thus determine if the network communication is malicious or benign.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A system of detecting malicious network behavior by teaching at least one reputation engine to determine whether at least one new domain name is likely to be used for malicious or legitimate uses, the system comprising:
- at least one reputation engine in communication with at least one hardware processor and at least one database, the at least one reputation engine configured for:
  - obtaining passive domain name system (DNS) query information, wherein the passive DNS query information is obtained using passive DNS collectors;
  - utilizing the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, wherein the statistical features comprise network-based features and/or zone-based features, the network-based features describing how operators who own the at least one domain name and IP addresses the at least one domain name points to are able to allocate their network resources, and the zone-based features measuring a set of related historic domain names (RHDNs) of domain names historically associated with the at least one new domain name; and
  - utilizing the statistical features to determine at least one reputation for the at least one new domain name, by teaching the at least one reputation engine to determine whether the at least one new domain name is likely to be used for malicious or legitimate uses, and thus determine if the network communication is malicious or benign.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
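The claims describe a pipeline (index passive DNS, derive network-based and zone-based statistical features from domains with known labels, then score a new domain with a reputation engine) without fixing any concrete feature or classifier. The following Python is an added illustration written for this page, not the patent's own implementation. The specific feature definitions (distinct IPs and /24 and /16 prefixes as the "network resource allocation" signal; RHDN count, distinct registrable zones and mean RHDN length as the zone-based signal), the nearest-centroid reputation engine, and all passive-DNS records and labels are my own assumptions and constructed sample data.

```python
from collections import defaultdict
from math import sqrt
from statistics import mean, pstdev

# Constructed passive-DNS observations (domain, resolved IPv4 address); not real data.
# The *-example.test names mimic stable hosting inside one /24; the short names mimic
# domains spread over unrelated networks that also share each other's IPs.
PASSIVE_DNS = [
    ("bank-example.test", "203.0.113.10"),
    ("bank-example.test", "203.0.113.11"),
    ("www.bank-example.test", "203.0.113.10"),
    ("shop-example.test", "198.51.100.5"),
    ("shop-example.test", "198.51.100.6"),
    ("cdn.shop-example.test", "198.51.100.5"),
    ("z7q.test", "192.0.2.1"),
    ("z7q.test", "198.18.4.9"),
    ("z7q.test", "100.64.77.3"),
    ("k9x.test", "192.0.2.1"),
    ("k9x.test", "198.18.4.9"),
    ("m2p.test", "100.64.77.3"),
    ("m2p.test", "192.0.2.200"),
    ("q8r.test", "198.18.4.9"),       # new domain, not yet labelled
    ("q8r.test", "100.64.77.3"),
    ("q8r.test", "203.0.113.250"),
]
# Known reputations used to teach the engine (constructed labels).
LABELS = {
    "bank-example.test": "legitimate", "shop-example.test": "legitimate",
    "z7q.test": "malicious", "k9x.test": "malicious", "m2p.test": "malicious",
}


def build_index(records):
    """Index passive DNS both ways: domain -> IPs and IP -> domains."""
    dom_to_ips, ip_to_doms = defaultdict(set), defaultdict(set)
    for dom, ip in records:
        dom_to_ips[dom].add(ip)
        ip_to_doms[ip].add(dom)
    return dom_to_ips, ip_to_doms


def _prefix(ip, octets):
    return ".".join(ip.split(".")[:octets])


def registered_domain(name):
    # Assumption: the last two labels form the registrable zone (no public-suffix list).
    return ".".join(name.split(".")[-2:])


def network_features(domain, dom_to_ips):
    """Network-based features (assumed): how widely the domain's IPs are spread.
    Distinct IPs, distinct /24s and distinct /16s approximate how many separate
    address allocations the operator behind the domain can draw on."""
    ips = dom_to_ips[domain]
    return [len(ips), len({_prefix(ip, 3) for ip in ips}), len({_prefix(ip, 2) for ip in ips})]


def zone_features(domain, dom_to_ips, ip_to_doms):
    """Zone-based features (assumed) over the related historic domain names (RHDNs):
    every other domain that ever resolved to one of this domain's IPs."""
    rhdns = set()
    for ip in dom_to_ips[domain]:
        rhdns |= ip_to_doms[ip]
    rhdns.discard(domain)
    if not rhdns:                      # nothing shares an IP with this domain yet
        return [0, 0, 0.0]
    return [len(rhdns), len({registered_domain(d) for d in rhdns}), mean(len(d) for d in rhdns)]


def feature_vector(domain, dom_to_ips, ip_to_doms):
    return network_features(domain, dom_to_ips) + zone_features(domain, dom_to_ips, ip_to_doms)


class ReputationEngine:
    """Nearest-centroid classifier over standardised features (assumed design)."""

    def train(self, records, labels):
        self.dom_to_ips, self.ip_to_doms = build_index(records)
        rows = {d: feature_vector(d, self.dom_to_ips, self.ip_to_doms) for d in labels}
        cols = list(zip(*rows.values()))
        self.mu = [mean(c) for c in cols]
        self.sigma = [pstdev(c) or 1.0 for c in cols]   # constant column -> leave unscaled
        by_label = defaultdict(list)
        for d, lab in labels.items():
            by_label[lab].append(self._scale(rows[d]))
        self.centroids = {lab: [mean(c) for c in zip(*vs)] for lab, vs in by_label.items()}
        return self

    def _scale(self, vec):
        return [(v - m) / s for v, m, s in zip(vec, self.mu, self.sigma)]

    def reputation(self, domain):
        """Score in [0, 1]: 1.0 at the legitimate centroid, 0.0 at the malicious one."""
        x = self._scale(feature_vector(domain, self.dom_to_ips, self.ip_to_doms))
        dist = {lab: sqrt(sum((a - b) ** 2 for a, b in zip(x, c)))
                for lab, c in self.centroids.items()}
        total = dist["malicious"] + dist["legitimate"]
        return dist["malicious"] / total if total else 0.5

    def verdict(self, domain):
        return "legitimate" if self.reputation(domain) >= 0.5 else "malicious"


ENGINE = ReputationEngine().train(PASSIVE_DNS, LABELS)

if __name__ == "__main__":
    for dom in ("q8r.test", "www.bank-example.test"):
        print(dom, feature_vector(dom, ENGINE.dom_to_ips, ENGINE.ip_to_doms),
              round(ENGINE.reputation(dom), 3), ENGINE.verdict(dom))
```

The unlabelled q8r.test inherits a low reputation because its RHDNs are the known malicious domains and its IPs sit in three unrelated /16s, while www.bank-example.test scores as legitimate because its only RHDN is in its own zone on a single /24. In a real deployment the prefix features would be replaced by BGP prefix and AS lookups and the zone split would use a public-suffix list; the toy classifier is only there to make the teach-then-score step of the claim concrete.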
Specification